Principles of Information Security (Sixth Edition): 1601
List the locations ElastAlert can send alerts
slack, Internal Email servers, External email servers and more
Why are unused ports closed/disabled?
so as to block public access to any services which might be running on the computer without the user's knowledge, whether due to legitimate services being misconfigured, or the presence of malicious software.
What tool was used to import the pcap file into Security Onion?
so-import-pcap
What capability does Docker provide
software container, run and manage apps side-by-side in isolated containers to get better compute density
Spyware
software with malicious behavior that aims to gather information about a person or organization and send such information to another entity in a way that harms the user; for example by violating their privacy or endangering their device's security.
Industrial Espionage
spying directed toward discovering the secrets of a rival manufacturer or other industrial company.
Platform Security Validation
subject organizations to potential threats that they could face, in a bid to discover the weakest links in their cyber security strategy.
Theft
taking of another person's property or services without that person's permission or consent with the intent to deprive the rightful owner of it.
Packet-filtering Firewall
technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols and ports.
Accreditation
the action or process of officially recognizing someone as having a particular status or being qualified to perform a particular activity.
Steganography
the art and science of hiding information by embedding messages within other, seemingly harmless messages
Performance Gap
the difference between actual performance and desired performance
Communications Security
the discipline of preventing unauthorized interceptors from accessing telecommunications in an intelligible form, while still delivering content to the intended recipients.
Scope
the extent of the area or subject matter that something deals with or to which it is relevant.
Vishing
the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
Software piracy
the illegal copying, distribution, or use of software. It is such a profitable "business" that it has caught the attention of organized crime groups in a number of countries. According to the Business Software Alliance (BSA), about 36% of all software in current use is stolen.
padded cell
the intruder is transferred to a padded cell. The padded cell has the look and layout of the actual network, but within the padded cell the intruder can neither perform malicious activities nor access any confidential data.
Hardware
the physical parts of a computer, such as the case, central processing unit, monitor, mouse, keyboard, computer data storage, graphics card, sound card, speakers and motherboard. By contrast, software is the set of instructions that can be stored and run by hardware.
Cryptography
the practice and study of techniques for secure communication in the presence of third parties called adversaries.
Loss Frequency
the probable number of losses that may occur during some given time period
Risk Identification
the process of determining and documenting the potential risks that could occur on a project.
Ciphertext
the result of encryption performed on plaintext using an algorithm, called a cipher.
Residual Risk
the risk that remains after management implements internal controls or some other response to risk
Public Key Infrastructure (PKI)
the system for issuing pairs of public and private keys and corresponding digital certificates
Waterfall
the tasks of each phase must be fully completed before the next phase. This also implies that the complete set of requirements must be defined and fixed at the beginning of the project.
Cyberterrorism
the use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation.
Why are employees the greatest threat to information security?
they are the closest to the organizational data and will have access by nature of their assignments. They are the ones who use it in everyday activities, and employee mistakes represent a very serious threat to the confidentiality, integrity, and availability of data.
What capability does Beats provide?
to facilitate the shipping of endpoint logs to Security Onion's Elastic Stack
Ransomware
type of malware from crypto virology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
Resistance to change reduction methods
unfreezing: Thawing hard-and-fast habits and established procedures. Preparing the organization for upcoming changes facilitates the implementation of new processes, systems, and procedures. Training and awareness programs assist in this preparation moving: Transitioning between the old way and the new. The physical implementation of new methods, using the strategies outlined earlier in this chapter, requires the organization to recognize the cessation of old ways of work and reinforces the need to use the new methods. refreezing: The integration of the new methods into the organizational culture, which is accomplished by creating an atmosphere in which the changes are accepted as the preferred way of accomplishing the necessary tasks.
Tunneling Mode
used to encrypt traffic between secure IPSec Gateways, for example two Cisco routers connected over the Internet via IPSec VPN.
Web-base security protocols
used to provide for secure transactions between Internet users and Web sites
Electronic Communications Privacy Act
was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer, added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act, and added so-called pen trap provisions that permit the tracing of telephone communications.
What can be done to prevent unintended consequences?
white list the trusted IP
Top-Down Approach
your IT department is not solely focused on your company's tech stack while management is solely focused on the company mission and objectives. These are no longer siloed departments; they are interwoven and dependent on each other to ensure success.
What is Security Onion?
"Security Onion Solutions, LLC is the creator and maintainer of Security Onion, a free and open source platform for threat hunting, network security monitoring, and log management. Security Onion includes best-of-breed open source tools such as Suricata, Zeek, Wazuh, the Elastic Stack, among many others." (Security Onion Solutions https://securityonionsolutions.com/)
SMTP
(Simple Mail Transfer Protocol) The main protocol used to send electronic mail from server to server on the Internet.
SDLC
(Systems development life cycle) information systems and software engineering, the systems development life cycle, also referred to as the application development life-cycle, is a process for planning, creating, testing, and deploying an information system.
Wireless Protocols
(WEP, WPA, WPA2 and WPA3)
Confidentiality
(assurance that information is shared only among authorized people or organizations
Asset
(n.) something of value; a resource; an advantage
Polymorphic
(of a feature of a programming language) allowing routines to use variables of different types at different times.
Traffic Analysis
- This is a method of uncovering information by watching traffic patterns on a network. - Traffic padding can be used to counter this kind of attack, in which decoy traffic is sent out over the network to disguise patterns and make it more difficult to uncover them
60% rule
1 minute to detect, 10 minutes to investigate and 60 minutes to remediate.
Vulnerability Intelligence sources
1. Vendors - provides either direct support of indirect tools that allow user communities to support each other; intel on emerging threats 2. CERT organizations - provide notification services for free 3. Public network sources - mailing lists and Websites available to orgs and people 4. Membership sites - various groups and orgs; add contextual detail to publicly reported events and offering filtering capabilities
POP3 Port
110
MS RPC Port
135
NetBIOS Port
137-139
SNMP Port
161
FTP (File Transfer Protocol) Port
20, 21
SSH Port
22
Telnet Port
23
SMTP Port
25
syslog port
514
DNS Port
53
Software, hardware, data, people, procedures, networks
6 components of an information system
DHCP Port
67, 68
Echo (ICMP/Ping) Port
7
HTTP Port
80
XOR
A Boolean logic operation that is widely used in cryptography as well as in generating parity bits for error checking and fault tolerance.
What is at the bottom of each log dashboard?
A Log panel that exposes all the little tiny details about each individual log.
ARPANET
A computer network developed by the Advanced Research Project Agency (now the Defense Advance Research Projects Agency) in the 1960s and 1970s as a means of communication between research laboratories and universities. it was the predecessor to the Internet.
Hash function/Algorithm
A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes. The values are used to index a fixed-size table called a hash table.
Bastion Host
A heavily secured server located on a special perimeter network between the company's secure internal network and its firewall.
Best Practice
A management process, technique, or method that is most effective at arriving at a desired outcome or better outcome than any other process, technique, or method.
Non-Discretionary Access Control
A means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity.
Exposure factor
A measure of the magnitude of loss of an asset. Used in the calculation of single loss expectancy (SLE).
Bottom-up approach
A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
Public Key Encryption
A method of paired key encryption in which the key used to encrypt data is made available to anybody and its corresponding decryption key is kept secret.
Virus
A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data
Difference analysis
A procedure that compares the current state of a network segment against a known previous state of the same network segment (the baseline of systems and services).
Deliverable
A product, such as a report or segment of software code, produced as part of a project
policy
A proposed or adopted course or principle of action
Angler phishing
A relatively new attack vector, social media offers a number of ways for criminals to trick people. Fake URLs; cloned websites, posts, and tweets; and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware.
Risk acceptance
A risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs.
Risk Transference
A risk response strategy whereby the project team shifts the impact of a threat to a third party, together with ownership of the response.
Rainbow Table
A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.
Whitebox Testing
A testing approach that uses knowledge of a program/module's underlying implementation and code intervals to verify its expected behavior.
Corrective Actions
A type of change request that typically occurs during the Monitoring and Controlling processes. Corrective actions bring the work of the project back into alignment with the project plan.
Private Key Encryption
A type of encryption where only the two parties involved in sending the message have the code.
Calculate ARO and ALE
ALE = SLE x ARO
List the data types Security Onion accepts. For each data type, name a tool within Security Onion that provides the data type?
Agent, Alert, Asset, Extracted Content, Full content, session and transaction
Risk control
An action taken to manage a risk.
Within Security Onion what tools can an analyst pivot to from netsniff-ng?
An analyst can pivot from Sguil and CapME
active vulnerability scanner
An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.
Wireless Vulnerability Assessment
An assessment approach designed to find and document vulnerabilities that may be present in the organization's wireless local area networks.
Buffer overflow
An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer. And is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations
Symmetric encryption
An encryption method whereby the same key is used to encode and to decode the message
procedures
An established or official way of doing something
Attack
Any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an asset.
Cost Benefit Analysis (CBA)
Approach to determining the financial impact of an organization's activities and programs on profitability, through a process of data or calculation comparing value created against the cost of creating that value.
Program Review
As policy needs shift, a thorough and independent review of the entire information security program should be undertaken.
What capability does autoruns provide?
Auto runs shows the analyst all the programs that are in the auto run folder and other auto run folders
Five strategies for controlling risk
Avoidance. Acceptance. Mitigation. Transferal. Exploitation
Best Practices for creating firewall sets
Block traffic by default and monitor user access. Establish a firewall configuration change plan. Optimize the firewall rules of your network. Update your firewall software regularly. Conduct regular firewall security audits. Have a centralized management tool for multi-vendor firewalls. Automate the process of firewall updating
Quantitative Assessment
Collects data that can be analyzed using quantitative methods - an assessment for accountability.
Qualitative Assessment
Collects data that does not lend itself to quantitative methods but rather to interpretive criteria
CERT
Computer Emergency Response Team. A group of experts that respond to security incidents. Also known as CIRT, SIRT, or IRT.
CIA Triad
Confidentiality, Integrity, and Availability. These three components are frequently used to conveniently articulate the objectives of a security program that must be used in harmony to make sure an information system is secure and usable.
What additional features are added to Elastic Stack in Security Onion
Curator, DomainStats, ElastAlert, and FreqServer
Security & Freedom through Encryption Act
Declares that it is U.S. policy to protect public computer networks through the use of strong encryption technology, promote the export of encryption products developed and manufactured in the United States, and preserve public safety and national security.
Risk
Degree of uncertainty of return on an asset; in business, the likelihood of loss or reduced profit.
Vulnerability Assessment
Determines the potential impact of disruptive events on the organization's business processes.
DHCP
Dynamic Host Configuration Protocol is a network management protocol used on Internet Protocol networks, whereby a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on the network, so they can communicate with other IP networks
Legal requirements to use a packet sniffer on a network
Federal law makes it illegal to intercept electronic communications, but it includes an important exception. It's not illegal to intercept communications "made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public."
FTP
File Transfer Protocol uses a TCP-based network to pass files from host to host.
Tools for planning, coordinating a project
Gantt, PERT, Network Scheduling, WBS
What two tools could the analyst use to analyze the downloaded pcap?
He could use WireShark or Network Miner.
What was the 1st analysis tool used by the analyst?
He used NIDS.
Which of the tools from Q16 did the analyst use to analyze the downloaded pcap?
He used Network Miner.
What was the origin of the sample pcap for the demonstration?
He used the sample pcap files built into the ISO image. It came from malwaretrafficanalysis.net run by Brad Duncan.
Data contingency Strategies
Hot, warm, cold, time-share, service bureau and mutual agreement
HTTP
HyperText Transfer Protocol - the protocol used for transmitting web pages over the Internet
HTTPS
Hypertext Transfer Protocol Secure. Encrypts HTTP traffic with SSL or TLS using port 443.
Risk Management Phases
Identifying risk, asserting its relative magnitude, and taking steps to reduce it to an acceptable level.
IPSecurity (IPSec)
In computing, Internet Protocol Security is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks.
What capability does Curator provide
It allows you to manage or create Elasticsearch indices and snapshots
According to the Security Onion documentation, what types of log files can be created with Zeek? (please note Zeek actually can generate more logs than what is listed in the Security Onion documentation).
It creates conn.log, dns.log, ftp.log, http.log, ssl.log, notice.log and many more
When using the tool from Q17, what did the analyst uncover?
It downloaded a specific .dll file but also a .zip file.
What is data exfiltration?
It is an unauthorized data transaction from an infected computer. It is a form of data theft.
Honeypot
It mimics a target for hackers, and uses their intrusion attempts to gain information about cybercriminals and the way they are operating or to distract them from other targets.
Did CapME provide the entire pcap? If not, what did the analyst have to do?
It only shows the first 500,000 bytes of the transcript, so no. He had to download the pcap and opened it in Network Miner
By default, Kibana provides timestamps in what time zone? How could this be a detriment to a security analyst?
Kibana's timestamps are set to UTC. This could be a detriment because the security analyst may get confused and may think the attack happened at a different time than it actually did.
Methods to prevent software piracy
Legal protection, Product key, Tamper proofing, and Watermarking
Email phishing
Most phishing attacks are sent by email. The crook will register a fake domain that mimics a genuine organization and sends thousands out thousands of generic requests. Alternatively, they might use the organization's name in the local part of the email address (such as [email protected]) in the hopes that the sender's name will simply appear as 'PayPal' in the recipient's inbox.
What type of data types can be supported by Sguil?
NIDS alerts are supported if they are from Snort/Suricata (if snort_agent is enabled). It also supports HIDS alerts if they are from OSSEC (if ossec_agent id enabled).
What network visibility tools are included in Security Onion?
NIDS, Snort, Suricata, Zeek, and netsniff-ng
What tool did Wazuh replace?
OSSEC
LFM (Log file monitor)
Once an event is detected, the monitoring system will send an alert, either to a person or to another software/hardware system. Monitoring logs help to identify security events that occurred or might occur. This software article is a stub.
What is the meaning of the term: pcap
PCAP stands for Packet Capture and it is a type of file
types of traffic seen via CapME?
POST and GET requests, and temporary redirects
Footprinting
Refers to the process of collecting as much as information as possible about the target system to find ways to penetrate into the system. An Ethical hacker has to spend the majority of his time in profiling an organization, gathering information about the host, network and people related to the organization. Information such as IP address, Who is records, DNS information, an operating system used, employee email id, Phone numbers etc. is collected.
policy administrator
Responsible for creation, revision, distribution and storage of policy
Security protocols used to protect email (PEM, PGP, S/MIME)
SSL, TLS, and STARTTLS
The so-import-pcap tool provided a URL for what purpose?
Shows the user all the alerts and logs that were created as a result of importing that file.
What are the two NIDS systems supported within Security Onion? Which system is default in evaluation mode?
Snort and Suricata. In evaluation mode Security Onion defaults to Snort.
What data types can be supported by Squert?
Squert supports NIDS and HIDS alerts.
Which Security Onion analysis tool(s) support NIDS data?
Squert, Kibana, and Sguil.
Predecessors/Successors
Tasks or action steps that come before the specific task at hand are called _____, and those that come after the task at hand are called _____.
DNS
The Internet's system for converting alphabetic names into numeric IP addresses.
Risk appetite
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
Security Blueprint
The basis for the design, selection and implementation of all security program elements including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of the security program.
Vulnerability Assessment and Remediation domain
The component of the maintenance model focused on identifying specific, documented vulnerabilities and remediating them in a timely fashion.
If a tech store accidentally included a word-processing program with the shipment of your ordered item, would it be ethical to keep the program?
The customer's decision to keep the word-processing program was unethical, because the customer should have at least gotten in contact with the store to send the program back or find out if he needed to pay for it.
Physical Security
The implementation and practice of various control mechanisms that are intended to restrict physical access to facilities.
C.I.A. triad
The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
If a manager used free version of a sniffing program to find out more information about her organization's competitor, would it be ethical for her to do this?
The manager's actions were unethical, because she did pay to use the service but she was not using it for its intended purpose. She was using it to find more information on the competitors and the competitor's clients to benefit her company.
What alert was the most interesting to the analyst? Why would this type of data be of most interest?
The most interesting was Data exfil. Because he explained that when a computer sends a packet like that, it is most likely, malware that is installed on the computer sending information to its hacker/creator.
Damage Assessment
The process of assessing damage, following a disaster, to computer hardware, vital records, office facilities, etc. And determining what can be salvaged or restored and what must be replaced.
Strategic Plan
The process of defining and specifying the long term direction to be taken by and organization.
Incident Classification
The process of examining an incident candidate and determining whether it constitutes an actual incident.
Change control
The process of performing an impact analysis and obtaining approval before modifications to the project scope are made
Computer Security
The protection of a computer system and its data from accidental or intentional loss and tampering.
Would not citing a programmer when using a specially created program be ethical?
The scientist's failure to acknowledge the computer programmer was unethical, because without the programmer the scientist would not have been able to prove his theory.
Technical Controls
The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
IDPS control Strategies
The three commonly utilized control strategies are centralized, partially distributed, and fully distributed. With a centralized IDPS control strategy all IDPS control functions are implemented and managed in a central location. Using a fully distributed IDPS control strategy is the opposite of the centralized strategy. Each monitoring site uses its own paired sensors to perform its own control functions to achieve the necessary detection, reaction, and response functions. Thus, each sensor/agent is best configured to deal with its own environment. In a partially distributed IDPS control strategy the better parts of the other two strategies are combined. While the individual agents can still analyze and respond to local threats, their reporting to a hierarchical central facility enables the organization to detect widespread attacks. This blended approach to reporting is one of the more effective methods of detecting intelligent attackers, especially those who probe an organization through multiple points of entry, trying to scope out the systems' configurations and weaknesses, before they launch a concerted attack.
List the type of data exfiltrated from the computer?
The zip file contained autofill information from Google Chrome, has broad information about the victim computer, and a screenshot.
Why do some old vulnerabilities still work?
These vulnerabilities still work because they are hard to completely patch. Bad programming can allow for these attacks to work. It is the security professional's job to find these vulnerabilities and assist in patching them. End users do need to be educated in security and "don't click the link", but they should be put in exercises that test to see if they remember what they were trained about. I would disable the usage of HTML tags in comments and posts. As for the buffer overflow I would program multiple layers of backup space for the buffer on a one terabyte hard disk drive.
What SO tools were the source of the logs?
They came from Http transactions, DNS lookups, network-based IDS alerts and etc.
According to Security Onion documentation, what feature has been removed from Sguil to increase performance? How could this adversely affect the Security Analyst?
They disabled the automatic DNS lookup of the source and destination IP addresses. This could adversely affect the analyst because it would take them more time to run the DNS lookup than if the computer did them. It makes the process take longer
network-based IDPS
This type of IDPS monitors network traffic for specific network segments and devices. It analyzes the network and application protocol activity to identify suspicious and abnormal activity.
Certification
This year's list includes entry-level credentials, such as Security+, as well as more advanced certifications, such as the CEH, CISSP, CISM, and CISA. We also offer some additional certification options in the last section that cover choices outside our top five, because the field of information security is both wide and varied, with many other options. According to Cyber Seek, more employers are seeking CISA, CISM, and CISSP certification holders than there are credential holders which makes these credentials a welcome addition to any certification portfolio.
What did the analyst look at to see the entire packet capture?
To see the entire packet capture he clicked the hyperlink in the _ID field. The hyper link takes him to CapME which shows him the whole TCP exchange and outputs it in an ASCII transcript.
TLS
Transport Layer Security. Used to encrypt traffic on the wire. TLS is the replacement for SSL and like SSL, it uses certificates issued by CAs. PEAP-TLS uses TLS to encrypt the authentication process and PEAP-TLS requires a CA to issue certificates.
Registration authority
Validates the user's identity and then sends a request to another entity to fulfill user's request
Authentication Mechanisms
Ways that the network can validate who is and who isn't allowed access to the network.
Whaling
Whaling attacks are even more targeted, taking aim at senior executives. Although the end goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler.
Technological obsolescence
When a technical product or service is no longer needed or wanted even though it could still be in working order.
Accountability
Willingness to take credit and blame for actions.
List two of the NIDS alerts displayed to the analyst? This question can be answered with a list.
Windows ".exe"s and Client data uploads
Smishing and vishing
With both smishing and vishing, telephones replace emails as the method of communication. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation.
What is/are sources for pcap files?
You can use sample pcap files they supply or you can use your own pcap file.
Weighted factor analysis
___ is the process of assigning scores for critical factors, each of which is weighted in importance by the organization.
Computer Fraud & Abuse Act
a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization, or in excess of authorization.
Book Cipher
a cipher in which the key is some aspect of a book or other piece of text. Books, being common and widely available in modern times, are more convenient for this use than objects made specifically for cryptographic purposes.
Change Management
a collective term for all approaches to prepare, support, and help individuals, teams, and organizations in making organizational change.
Threat
a communicated intent to inflict harm or loss on another person. Intimidation is widely observed in animal behavior chiefly in order to avoid the unnecessary physical violence that can lead to physical damage or the death of both conflicting parties. A threat is considered an act of coercion.
UDP
a communications protocol that is primarily used for establishing low-latency and loss-tolerating connections between applications on the internet. It speeds up transmissions by enabling the transfer of data before an agreement is provided by the receiving party.
ICMP/Ping
a computer network administration software utility used to test the reachability of a host on an Internet Protocol network. It is available for virtually all operating systems that have networking capability, including most embedded network administration software.
Metasploit Framework
a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7.
Defense In Depth
a concept used in Information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical security for the duration of the system's life cycle.
TCP
a connection-oriented protocol, which means a connection is established and maintained until the application programs at each end have finished exchanging messages. It determines how to break application data into packets that networks can deliver, sends packets to and accepts packets from the network layer, manages flow control and -- because it is meant to provide error-free data transmission -- handles retransmission of dropped or garbled packets and acknowledges all packets that arrive.
Privacy
a connotation of larger organizations, which requires a detailed understanding of the law that assists citizens against the law of nations, while security is a practice of the protection of information that provides care for the declared strategic asset.
Asymmetric encryption
a cryptographic system that uses pairs of keys: public keys, which may be disseminated widely, and private keys, which are known only to the owner.
Denial of Service (DoS)
a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic or sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users (i.e. employees, members, or account holders) of the service or resource they expected.
What capability does Logstash provide
a data processing pipeline that is able to handle input of data from many different sources simultaneously, transforms it and then sends it to your favorite stash
Standard
a detailed statement of what must be done to comply with policy.
Application Layer Proxy FW
a device capable of functioning as both a firewall and an application layer proxy server.
Disaster Recovery and DR Plan
a documented process or set of procedures to execute an organization's disaster recovery processes and recover and protect a business IT infrastructure in the event of a disaster. It is "a comprehensive statement of consistent actions to be taken before, during and after a disaster".
Task-based Access Controls
a flexible security mechanism, which has been widely implemented in workflow management systems. Permissions are assigned to tasks and users can only obtain the permissions during the execution of tasks.
Guidelines
a general rule, principle, or piece of advice.
What is Elastic Stack
a group of open source applications that is designed to aid users in analyzing, searching, and visualizing almost any kind of data in real time
Financial Services Modernization Act
a law passed in 1999 that partially deregulates the financial industry. The law allowed banks, insurers, and securities firms to start offering each other's products, as well as to affiliate with each other.
Civil Law
a legal system originating in Continental Europe and adopted in much of the world. The civil law system is intellectualized within the framework of Roman law, and with core principles codified into a referable system, which serves as the primary source of law.
Certificate revocation list (CRL)
a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted.
Access Control List (ACL)
a list of permissions associated with an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation.
signatures
a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital *********, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authentication), and that the message was not altered in transit (integrity).
Firewall
a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. it typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.
Stateful Firewall
a network-based firewall that individually tracks sessions of network connections traversing it. ******** packet inspection, also referred to as dynamic packet filtering, is a security feature often used in non-commercial and business networks.
Botnet
a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service attacks, steal data, send spam, and allow the attacker to access the device and its connection.
Passive vulnerability scanner
a patented network discovery and vulnerability analysis software solution that delivers real-time network profiling and monitoring for continuous assessment of an organization's security posture in a non-intrusive manner. PVS monitors network traffic at the packet layer to determine topology, services, and vulnerabilities. Where an active scanner takes a snapshot of the network in time, PVS behaves like a security motion detector on the network.
Hacker
a person who uses computers to gain unauthorized access to data.
Exploit
a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic.
Benchmarking
a process by which a company compares its performance with that of high-performing organizations
Configuration Management
a process for maintaining computer systems, servers, and software in a desired, consistent state. It's a way to make sure that a system performs as it's expected to as changes are made over time.
Trojan Horse
a program designed to breach the security of a computer system while ostensibly performing some innocuous function.
Encapsulating Security Payload (ESP)
a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs). IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).[1] IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks. It supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection.
Authorization
a security mechanism to determine access levels or user/client privileges related to system resources including files, services, computer programs, data and application features.
Worm
a self-replicating program able to propagate itself across a network, typically having a detrimental effect.
Dynamic Filtering
a set of fields and values that can be configured to appear on the left side of a report. These filters allow you to quickly narrow down the data displayed to only those records you care about. If the report is shown on a table Home page.
Incident Response and IR Plan
a set of instructions to help IT staff detect, respond to, and recover from network security incidents. These types of plans address issues like cybercrime, data loss, and service outages that threaten daily work.
What capability does ElastAlert provide
a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch
Blackbox Testing
a software testing method in which the functionalities of software applications are tested without having knowledge of internal code structure, implementation details and internal paths.
Blackout
a suppression of information, especially one imposed on the media by government. a failure of electrical power supply.
Data Encryption Standard (DES)
a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for applications, it has been highly influential in the advancement of cryptography.
3DES
a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block.
Exposure
a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. Allows an attacker to conduct information gathering activities.
Laws
a system of rules created and enforced through social or governmental institutions to regulate behavior, with its precise definition a matter of longstanding debate. It has been variously described as a science and the art of justice.
Discretionary Access Control
a type of access control defined by the Trusted Computer System Evaluation Criteria "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
Gap Analysis
a type of analysis that compares the differences between the consumer's expectations about and experiences with a service based on dimensions of service quality
Birthday Attack
a type of cryptographic attack that exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties.
cryptogram
a type of puzzle that consists of a short piece of encrypted text. Generally the cipher used to encrypt the text is simple enough that the cryptogram can be solved by hand. Substitution ciphers where each letter is replaced by a different letter or number are frequently used.
Shoulder Surfing
a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim's shoulder, either from keystrokes on a device or sensitive information being spoken and heard, also known as eavesdropping.
Bot
a type of software application or script that performs automated tasks on command. Bad bots perform malicious tasks that allow an attacker to remotely take control over an affected computer. Once infected, these machines may also be referred to as zombies.
Vulnerability
a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.
List the analysis tools available in Security Onion? For each analysis tool provide a short description.
a. Sguil - analyst console for NSM; built by Network Security Analyst for Network Security Analyst; provides access to realtime events, session data and raw packet captures. Supports NSM and event driven analysis. b. Squert - GUI front end to Sguil DB. Used to query and view event data stored in a Sguil DB c. Kibana - visualize/search engine into NIDS/HIDs and Zeek logs d. NetworkMiner - Network Forensic Analysis Tool (NFAT) . Can be used as a passive network sniffer/packet capturing tool or to parse PCAP files for offline analysis. Perform advanced Network Traffic Analysis. e. Wireshark - network protocol analyzer; see microscopic levels of what is happening in your network f. elasticsearch - ingest and index logs g. logstash - parse and format logs If the answer comes from analyst Tool list the following replace Elasticsearch and Logstash' h. Browser - GUI for displaying HTML files; many tools are browser-based; chromium-based browsers are recommended; Google chrome i. CapME - provides rendering (displaying) of pcap transcripts from tcpflow, Zeek or downloaded pcap; note rendering (IT) is the prcess of generating a final difital product fom a specific type of input. j. CyberChef - supports encoding and encryption techniques like XOR, Base64, AES, DES and Blowfish.
What capability does netsniff-ng provide?
a. provides the capabilities to collect full packet capture in the form of pcap files.
Wazuh can provide an active response; how may this affect the analyst?
accidentally blocking a trusted IP or Blocking out the analyst
Transport Mode
an IPSec mode in which only the IP data is encrypted, not the IP headers
Milestone
an action or event marking a significant change or stage in development.
Cipher
an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment.
What tools can an analyst pivot to from Squert natively in Security Onion?
an analyst can pivot to Wazuh logs, syslog, or Zeek logs
What tools can an analyst pivot to from Sguil natively in Security Onion?
an analyst can pivot to transcript/Wireshark/NetworkMiner and Kibana.
Authenticity
an attribute of information that describes how data is genuine or original rather than reproduced or fabricated.
Digital Certificate
an electronic "password" that allows a person, organization to exchange data securely over the Internet using the public key infrastructure (PKI). Also known as a public key certificate or identity certificate.
Certificate authority
an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.
Asymmetric encryption
an example of one type. Unlike "normal" (symmetric) encryption, Asymmetric Encryption encrypts and decrypts the data using two separate yet mathematically connected cryptographic keys. These keys are known as a 'Public Key' and a 'Private Key.
MULTICS
an influential early time-sharing operating system based on the concept of a single-level memory. Multics "has influenced all modern operating systems since, from microcomputers to mainframes." Initial planning and development for Multics started in 1964, in Cambridge, Massachusetts. First operating system to integrate securities in its core functions.
host-based IDPS
an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates.
What type of analysis can an analyst do with Security Onion?
any analysis that has Host, Network, Session, Asset, Alert and Protocol data
Malware
any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of malware types exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper and scareware.
Telnet
application protocol used on the Internet or local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection.
Forces of Nature
are dangerous because they are unexpected and come without very little warning. They disrupt lives of individuals but also causes damage to information that is stored within computers.
Operational control
are security controls that are primarily implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems).
What capability does Wazuh provide
as a Host Intrusion Detection System or HIDS for short
Availability
assurance that information systems and the necessary data are available for use when needed
integrity
assurance that the information is complete and uncorrupted
Why can we argue that information security is really an application of social science?
because there are a lot of errors and mistakes people can make to cause a data breach or security breach at their place of employment. The one highest vulnerability for computer systems are the end users. Hackers exploit this with different kinds of attacks, piggy backing, phishing, smishing, vishing, and many more.
Aggregate Information
collective data that relate to a group or category of services or customers, from which individual customer identities or characteristics have been removed.
What capability does syslog provide
collects logs from any known source and processes them in real-time and can deliver them to known destinations
Governance
comprises all of the processes of governing - whether undertaken by the government of a state, by a market or by a network - over a social system and whether through the laws, norms, power or language of an organized society.
SDLC Models
conceptual framework describing all activities in a software development project from planning to maintenance. This process is associated with several models, each including a variety of tasks and activities.
3 criteria for planning information security
confidentiality, integrity, and availability
Brute force Attack
consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing a combination correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
Network Security
consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.
Application header (AH)
contains and displays global tools and navigation. Use a header for every app. Be sure to display the relevant mode of this header to provide a consistent experience.
Four approaches to implementation
conversion: direct, parallel, pilot, and phased.
Backdoor
covert method of bypassing normal authentication or encryption in a computer, product, embedded device, or its embodiment. Back doors are most often used for securing remote access to a computer, or obtaining access to plain text in cryptographic systems.
What type of data types can be supported by NetworkMiner?
data types from Network Intrusion Detection Systems (NIDS) and/or Host-based Intrusion Detection Systems (HIDS).
Digital Forensics
deals with the recovery and investigation of material found in digital devices. It is most often used in cybercrime situations, including but not limited to: attribution. identifying leaks within an organization.
Spear phishing
describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the following information about the victim: Their name; Place of employment; Job title; Email address; and Specific information about their job role.
Static filtering Firewall
examines each packet against a set of rules. If the rules allow this type of packet through, then it is passed through, otherwise it is dropped or rejected depending on the specifications of the rule.
VPN
extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
Phishing
fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication.
Demilitarized Zone
functions as a subnetwork containing an organization's exposed, outward-facing services. It acts as the exposed point to an untrusted networks, commonly the Internet.
Domain Name Service (DNS)
hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.
Annual Rate of Occurence (ARO)
identifies how often in a single year the successful threat attack will occur.
How would this information support an analyst
if a virus is in the autorun folders/registries it helps find the malware and virus quicker.
Methodology
is "'a contextual framework' for research, a coherent and logical scheme based on views, beliefs, and values, that guides the choices researchers [or other users] make. a system of methods used in a particular area of study or activity.
What capability does System Monitor (Sysmon) provide?
is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Ethics
is a branch of philosophy that "involves systematizing, defending, and recommending concepts of right and wrong behavior". The field of ethics, along with aesthetics, concerns matters of value, and thus comprises the branch of philosophy called axiology.
Packet Sniffer
is a computer program, or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or part of a network. Packet capture is the process of intercepting and logging traffic.
Dictionary Attack
is a form of brute force attack technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying thousands or millions of likely possibilities, such as words in a dictionary or previously used passwords, often from lists obtained from past security breaches.
Distributed Denial of Service (DDoS)
is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.
Diffie Hellman
is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman.
SSH
is a network protocol for secure transfer of data between computers.
Risk Management (RM)
is a process in which businesses identify, assess, and treat risks that could potentially affect their business operations.
Digital signature
is a process that guarantees that the contents of a message have not been altered in transit. When you, the server, digitally sign a document, you add a one-way hash (encryption) of the message content using your public and private key pair.
General Data Protection Regulation
is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
Spoofing
is a situation in which a person or program successfully identifies as another by falsifying data, to gain an illegitimate advantage.
Advanced Encryption Standard
is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology in 2001.
Framework
is an abstraction in which software providing generic functionality can be selectively changed by additional user-written code, thus providing application-specific software.
Role-based Access Controls
is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can implement mandatory access control or discretionary access control.
Polyalphabetic
is any cipher based on substitution, using multiple substitution alphabets. The ******** cipher is probably the best-known example of a polyalphabetic cipher, though it is a simplified special case.
Intrusion
is any unauthorized activity on a computer network. In most cases, such unwanted activity absorbs network resources intended for other uses, and nearly always threatens the security of the network and/or its data.
Internet Vulnerability Assessment
is designed to find and document vulnerabilities that may be present in the organization's public network.
Penetration Testing
is similar to a cyber-attack where a cyber security professional tries to exploit weaknesses in the security to get into the organization's network.
Content Filter/Reverse FW
is software that restricts or controls the content an Internet user is capable to access, especially when utilized to restrict material delivered over the Internet via the Web, e-mail, or other means.
Non-Repudiation
is the assurance that someone cannot deny something. Typically, it refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
Performance Baseline
is the average level of performance that you are currently at, and that you will compare future performance levels with to test if performance is really changing.
Information Aggregation
is the compiling of information from databases with intent to prepare combined datasets for data processing.
Internal Monitoring Domain
is the component of the maintenance model that focuses on identifying, assessing, and managing the configuration and status of information assets in an organization. The internal monitoring domain is different from the external monitoring domain because it is more focused on the configuration and assessing the current configurations on hardware devices.
"out of band"
is the data transferred through a stream that is independent from the main in-band data stream. An out-of-band data mechanism provides a conceptually independent channel, which allows any data sent via that mechanism to be kept separate from in-band data.
Due Diligence
is the investigation or exercise of care that a reasonable business or person is normally expected to take before entering into an agreement or contract with another party or an act with a certain standard of care.
Integrity
is the practice of being honest and showing consistent and uncompromising adherence to strong moral and ethical principles and values. In ethics, ********* is regarded as the honesty and truthfulness or accuracy of one's actions.
Information Security
is the practice of protecting information by mitigating information risks. It is part of information risk management.
Encryption/Decryption
is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information.
Social Engineering
is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information.
External Monitoring Domain
is to provide information about new and upcoming threats, vulnerabilities, threat agents, and attacks. Some data sources are vendors, CERT organizations, public network sources, and membership sites. The domain supports incident response because the information that the domain provides organizations with the information, they need to implement new security measures.
SPAN port
is used on a network switch to send a copy of network packets seen on one switch port to a network monitoring connection on another switch
Certificate chaining
is used to establish a chain of trust from a peer certificate to a trusted CA certificate. Each certificate is verified using another certificate, creating a chain of certificates that ends with the root certificate.
Open port
is used to mean a TCP or UDP port number that is configured to accept packets. In contrast, a port which rejects connections or ignores all packets directed at it is called a closed port.
Intranet Vulnerability Assessment
it is designed to find and document selected vulnerabilities that are likely to be present on the organization's internal network.
Transposition
method of encryption by which the positions held by units of plaintext
Negative feedback loop
occurs when some function of the output of a system, process, or mechanism is fed back in a manner that tends to reduce the fluctuations in the output, whether caused by changes in the input or by other disturbances
Management/managerial Controls
one of the primary functions of management, and it involves setting performance standards, measuring performance and taking corrective actions when necessary.
Factors affecting Organization's information security environment
physical security, vulnerability, infrastructure, awareness, access control, risk, resources, organizational factors, CIA, continuity, security management, compliance & policy.
Key
piece of information (a parameter) that determines the functional output of a cryptographic algorithm. For encryption algorithms, a key specifies the transformation of plaintext into ciphertext, and vice versa depending on the decryption algorithm.
Business Impact Analysis (BIA)
predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies.
Annualized Loss Expectancy (ALE)
product of the annual rate of occurrence and the single loss expectancy
SSL
protocol to manage the security of the website by encrypting the data exchanged in that site
What capability does Zeek provide?
provides network traffic visibility and is able to perform threat detection, incident response, and forensics all in one application/command line tool.
Screen host architectures
provides services from a host that's attached to only the internal network, using a separate router.
Behavior based IDPS
references a baseline or learned pattern of normal system activity to identify active intrusion attempts. Deviations from this baseline or pattern cause an alarm to be triggered.
Fingerprinting
refers to a set of information that can be used to identify network protocols, operating systems, hardware devices, software among other things.
Due Care
refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account. It refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances.
Screen subnet firewall
refers to the use of one or more logical screening routers as a firewall to define three separate subnets: an external router, that separates the external network from a perimeter network, and an internal router that separates the perimeter network from the internal network.
monoalphabetic
relies on a fixed replacement structure. That is, the substitution is fixed for each letter of the alphabet. Thus, if "a" is encrypted to "R", then every time we see the letter "a" in the plaintext, we replace it with the letter "R" in the ciphertext.
signature based IDPS
relies on a preprogramed list of known indicators of compromise (IOCs). An IOC could include malicious network attack behavior, content of email subject lines, file hashes, known byte sequences, or malicious domains. Signatures may also include alerts on network traffic, including known malicious IP addresses that are attempting to access a system.
Gramm-Leach-Bliley
requires financial institutions - companies that offer consumers financial products or services like loans, financial or investment advice, or insurance - to explain their information-sharing practices to their customers and to safeguard sensitive data.
What capability does Elasticsearch provide
search and analytical engine that is capable of solving a growing number of use cases
